RBI Master Direction for IT - NBFC: Audit & Compliance Services

RBI Master Direction for IT - NBFC: Audit & Compliance Services

Reserve Bank of India (RBI) has issued Master Directions - Information Technology Framework for the NBFC Sector, 2017 on June 8, 2017. The focus of the framework is given to IT Governance, IT Policy, Information & Cyber Security, IT Operations, Information Systems Audit, Business Continuity Planning and IT Services Outsourcing. The Non-Banking Finance Company (NBFC) sector has grown in size and complexity over the years. As the NBFC industry matures and achieves scale, RBI is expecting its Information Technology and Information Security framework, Business continuity planning (BCP), Disaster Recovery (DR) Management, IT audit, etc. to be planned, implemented and audited.

How CyberNX can help NBFCs to implement and sustain RBI Master Direction

CyberNX can help the NBFCs to conduct a formal gap analysis between their current status and control requirements stipulations as laid out in the Master Directions and define a time-bound action to address the gap and comply with the guidelines.

In order to help NBFCs to achieve compliance, CyberNX has designed following services:

1. Gap Assessment Report against RBI Master Direction
   1. Audit the current practices and state and provide a gap assessment report
   2. Report will contain current practices and compliance areas
2. Remediation of Gaps
   1. Assistance in remediating the gaps identified during gap assessment phase
   2. Define or modifying policies, processes, evaluating effectiveness controls etc
3. Continuous Compliance or Sustenance of RBI Guidelines
   1. Provide trained man-power for maintaining compliance
   2. Provides monthly reports, progress charts on the engagement
   3. Schedule and conduct meetings required as per RBI Master Direction

As part of the consulting program, CyberNX Governance, Risk and Control (GRC) team can assess or help in ensuring following activities as required in the RBI Master Direction for IT- NBFC.

Information Security & Governance Related

• Create and facilitate approval of mandatory documentation kit as per RBI Master Direction for IT-NBFC
  • Create an IT and Information Security Governance Structure
  • Create and facilitate approval of Information and Cyber Security Policy (ISCSP)
  • Build a Cyber Crisis Management Plan (CCMP) and Incident Reporting Template
  • Define an IT RISK Management Policy Framework
  • Define an IT Outsourcing Policy Document
  • Create Business Continuity Policy Document
  • Information Security Audit Policy
  • Acceptable Usage Policy (AUP)
  • Logical Access Management Policy
  • Incident Management Policy
  • Change Management Policy
  • Information Backup and Restoration
  • Business Continuity Management System (BCMS) Policy document
  • Business Continuity Management System (BCMS) Plan and Test Report
• Technical Vulnerability Management (Patch/VAPT) and remediation on Servers and Endpoints
• Recommendation of Essential Cyber Security Tools.
• Information Security Awareness Session
  • Employee Awareness Sessions
  • Senior Management Awareness Sessions
  • Information Security Awareness Mailers to employees
  • Phishing campaign to evaluate awareness effectiveness.
• Identification of Information Asset Register (IAR)
• Classification of Information Asset Register
• IT Risk Assessment based on the (A/T/V/P/I), Risk Treatment Plan / Residual Risk Register
• Cyber Crisis Management Plan (CCMP) Mock Drill and Simulations
• Server Logging and Monitoring through 24 X 7 SOC
• Server Security Posture Assessment and Remediation

Compliance of IT Policy & Strategy:

• IT Policy and Strategy documents (by covering IT Governance, IT Operations domain)
• Formation of Information Security Steering Committee (ISSC)
• Formation of IT Strategy Committee (ITSC)
• Prepare Essential Documentations & Conduct ISSC and ITSC Meetings as per RBI Master Direction for IT-NBFC
• Ensuring Essential Documentation and Minutes of the Meetings of ISSC and ITSC Meetings